Physical systems can fail. For this reason the problem of identifying and reacting to faults has
received considerable attention in the control and computer science communities. In this paper we study the
fault diagnosis problem for hybrid systems from a game-theoretical point of view. A hybrid system
is a system mixing continuous and discrete behaviours that cannot be faithfully modeled either
by a formalism with continuous dynamics only or by a formalism with discrete dynamics only. We use
the well-known framework of hybrid automata for modeling hybrid systems, and we define a Fault
Diagnosis Game on them with two players: the environment and the diagnoser. The environment
controls the evolution of the system and chooses whether and when a fault occurs. The diagnoser
observes the external behaviour of the system and announces whether a fault has occurred or not.
The existence of a winning strategy for the diagnoser implies that faults can be detected correctly,
while computing such a winning strategy corresponds to implementing a diagnoser for the system. We
show how to determine the existence of a winning strategy, and how to compute it, for some decidable
classes of hybrid automata such as o-minimal hybrid automata.



1 Introduction 

In modern complex systems continuous and discrete dynamics interact. This is the case for large
manufacturing plants, agent systems, robotics and physical plants. Systems of this kind, called hybrid
because of their behaviour, need a specific formalism to be analysed. In order to model and specify hybrid
systems in a formal way, the notion of hybrid automata has been introduced [2, 22]. Intuitively, a hybrid
automaton is a "finite-state automaton" with continuous variables that evolve according to dynamics
characterizing each discrete state. In recent years, a wide spectrum of modeling formalisms and
algorithmic techniques has been studied in the control and computer science communities to solve the
problems of simulation, verification and control synthesis for hybrid systems. Much less attention has
been paid to the problem of dealing with faults. When a hybrid system fails, the failure propagates
throughout the system in both its continuous and its discrete evolution. Moreover, the interaction of
continuous and discrete dynamics calls for new theories of fault tolerance.

A fault is a deviation of the system structure or the system parameters from the nominal situation [6].
This implies that after the occurrence of a fault the system will have a behaviour which is different from
the nominal one. Hence Fault Tolerance is the property of reacting to faults. In particular, the analysis
of fault tolerance consists in establishing whether a given system is still able to achieve its tasks after the
occurrence of a given fault, whereas the synthesis of fault tolerance consists in providing a given system
with the tools to react to a given faulty situation. The fault tolerance problem can be divided into two tasks:
fault detection and isolation (FDI) and control redesign. FDI produces a diagnostic result including the
detection and location of the fault and, if possible, an estimate of the magnitude of the fault. In this paper we
concentrate our attention on the problem of fault detection and isolation for hybrid systems.

Fault tolerance and fault tolerant systems have been studied by the control community since the
late '70s, as in [16], where fault detection for chemical processes is introduced, and later in [25]. One
of the first surveys on fault detection is [17], dated 1984, where some methods based on
modelling and estimation are introduced. Much later, the book [24] collects some results on
Fault Detection and Isolation (FDI) methods. For a complete outline of the recent improvements in this
field, it is worth citing [26], where a rather new approach to fault detection in industrial (batch) systems is
introduced, and [19], an overview of fault tolerant techniques for flight control.

In the computer science community fault tolerance is also known as fault localization and correction,
and it is usually viewed as the problem of finding and fixing bugs in a software program or in a digital
circuit. One of the most systematic approaches in this area is Model Based Diagnosis, where an oracle
provides an example of correct behavior that is inconsistent with the behavior of the faulty system, and
a correct model of the system is usually not necessary [11]. Model based diagnosis can be divided
into abduction-based and consistency-based diagnosis. Abduction-based diagnosis [27] assumes that
it is known in which ways a component can fail. Using a set of fault models, it tries to find a component
and a corresponding fault that explains the observation. Consistency-based diagnosis [12, 28] considers
the faulty behavior as a contradiction between the actual and the nominal behavior of the system. It does
not require the possible faults to be known, and it proceeds by dropping the assumptions on the behavior
of each component in turn. If this removes the contradiction, the component is considered a candidate
for correction. More recently, the applicability of discrete game theory to fault localization and automatic
repair of programs has been proposed in [18]. In this alternative setting, the specification of the correct
behaviour is given in Linear Temporal Logic and the correction problem is stated as a game, in which
the protagonist selects a faulty component and suggests alternative behaviours.

Not many attempts have been made until now in the field of fault diagnosis for hybrid systems. This
is probably due in the first instance to the hard task of state estimation for this kind of system. Indeed, to
know whether a fault has occurred one has to detect whether the system is behaving in an unusual way, and
this relies on knowing the state in which the system is working. When dealing with hybrid systems, a state
estimator must provide both the continuous and the discrete state. Accomplishing this task is
generally difficult because of the coupling of the two dynamics.

Among the first methods for fault detection of hybrid systems it is worth citing the ones presented
in [23] and [29]. These two methods are quite different, because they are based on opposite models of
hybrid systems. The first one deals with mixed logical dynamical (MLD) systems, and mainly with faults
in the continuous dynamics, whereas the second one uses quantised systems, and thus deals mainly with
the discrete part. The method introduced in [13] presents some results based on Hybrid Input/Output
Automata [21] and extends the theory of diagnosability for discrete event systems to the hybrid case.
As usual in this kind of discrete event approach to hybrid systems, the two dynamics are kept separate,
which means that the diagnoser first has to check whether some fault has occurred in the current (discrete)
mode, then check the continuous dynamics inside the mode, and finally a supervisor decides which
kind of fault has occurred and where. Nevertheless, the diagnosability is tested on the hybrid dynamics,
using the notion of hybrid traces.

In this paper we choose to start from the modeling framework of [20], where Hybrid Automata
assume a distinction between internal and external actions and variables. We add faults to this model by
using a distinguished fault action. This is not a restrictive assumption, since every kind of fault can be
modeled as an internal action of an automaton, supposing the fault action leads from a nominal state to a
faulty one in the system. We assume that after a fault the system remains in its faulty situation and never
recovers.

We choose to apply game theory to the fault diagnosis of hybrid systems because it allows us not
to split the continuous and the discrete behaviours. A hybrid game is a multiplayer structure where the
players have both discrete and continuous moves and the game proceeds in a sequence of rounds. In
every round each player chooses either a discrete or a continuous move among the available ones [10].
Hybrid games have been successfully applied to solve the controller synthesis problem for timed [4] and
hybrid automata [5, 15], and to the fault diagnosis problem for timed automata [9]. In our setting we
model the fault diagnosis problem as a game between two players, the environment and the diagnoser.
The environment controls the evolution of the system and chooses whether and when a fault occurs. The
diagnoser observes the external behaviour of the system and announces whether a fault has occurred or
not. The existence of a winning strategy for the diagnoser implies that faults can be identified correctly,
while computing such a winning strategy corresponds to implementing a diagnoser for the system. In
contrast with the usual definition of hybrid game, our game is asymmetric, since the environment is more
powerful than the diagnoser, and is under partial observability, since the diagnoser is blind to the value of
internal variables and to the occurrence of internal events. We define two notions of diagnosability, and we
prove that the fault diagnosis problem is solvable for the weaker notion of diagnosability for all classes of
hybrid automata that admit a bisimulation with finite quotient that can be effectively computed.

2 Hybrid Automata with Faults 

Throughout the paper we fix the time axis to be the set of non-negative real numbers $\mathbb{R}^+$. An interval $I$
is any convex subset of $\mathbb{R}^+$, usually denoted as $[t_1, t_2] = \{t \in \mathbb{R}^+ : t_1 \le t \le t_2\}$. For any interval $I$ and
$t \in \mathbb{R}^+$, we define $I + t$ as the interval $\{t' + t : t' \in I\}$.

We also fix a countable universal set $\mathcal{V}$ of variables, where every variable $v \in \mathcal{V}$ has a type $Type(v)$
which defines the domain over which the variable ranges. Elementary types include booleans, integers
and reals. Given a set of variables $V \subseteq \mathcal{V}$, a valuation over $V$ is a function that associates every variable
in $V$ with a value in its type. We often refer to valuations as states, and we denote them as $\mathbf{x}, \mathbf{y}, \mathbf{z}, \ldots$ The
set $Val(X)$ is the set of all valuations over $X$. Given a valuation $\mathbf{x}$ and a subset of variables $Y \subseteq X$, we
denote the restriction of $\mathbf{x}$ to $Y$ as $\mathbf{x}|Y$. The restriction operator is extended to sets of valuations in the
usual way.

A notion that will play an important role in the paper is that of trajectory. A trajectory over a set
of variables $X$ is a function $\tau : I \to Val(X)$, where $I$ is a left-closed interval with left endpoint equal to $0$.
With $dom(\tau)$ we denote the domain of $\tau$, while with $\tau.ltime$ (the limit time of $\tau$) we denote the supremum
of $dom(\tau)$. The first point of a trajectory is $\tau.fval = \tau(0)$, while, when $dom(\tau)$ is right-closed, the last
point of a trajectory is defined as $\tau.lval = \tau(\tau.ltime)$. We denote with $Trajs(X)$ the set of all trajectories
over $X$. Given a subset $Y \subseteq X$, the restriction of $\tau$ to $Y$ is denoted as $\tau|Y$ and it is defined as the trajectory
$\tau' : dom(\tau) \to Val(Y)$ such that $\tau'(t) = \tau(t)|Y$ for every $t \in dom(\tau)$.

A trajectory $\tau'$ is a prefix of another trajectory $\tau$ if and only if $\tau'.ltime \le \tau.ltime$ and $\tau'(t) = \tau(t)$
for every $t \in dom(\tau')$. Conversely, we say that $\tau'$ is a suffix of $\tau$ if there exists $t \in \mathbb{R}^+$ such that
$\tau'.ltime = \tau.ltime - t$ and $\tau'(t') = \tau(t' + t)$ for every $t' \in dom(\tau')$. Given two trajectories $\tau_1$ and $\tau_2$ such
that $\tau_1.lstate = \tau_2.fstate$, their concatenation $\tau_1 \cdot \tau_2$ is the trajectory with domain $dom(\tau_1) \cup (dom(\tau_2) +
\tau_1.ltime)$ such that $\tau_1 \cdot \tau_2(t) = \tau_1(t)$ if $t \in dom(\tau_1)$, and $\tau_1 \cdot \tau_2(t) = \tau_2(t - \tau_1.ltime)$ otherwise. We extend the
concatenation operation to countable sequences of trajectories in the usual way.

We model hybrid systems with faults by using the formalism of Hybrid Automata (HA) as defined by
Lynch, Segala, and Vaandrager in [20], enriched with a distinguished fault action, and with a partition of
the state space into faulty and non-faulty states. We assume a single type of fault for simplicity.
However, all the results presented in the paper can be easily generalized to a finite number of faults.

Definition 2.1. A Hybrid Automaton with Faults is a tuple $\mathcal{A} = (W, X, Q, Q_f, \Theta, E, H, f, D, \mathcal{T})$, where:

• $W$ and $X$ are two finite sets of external and internal variables, disjoint from each other. We define
$V = W \cup X$;

• $Q \subseteq Val(X)$ is the set of states;

• $Q_f \subseteq Q$ is the set of faulty states. We define $Q_n$ as the set of non-faulty states, so that $Q = Q_n \cup Q_f$
and $Q_n \cap Q_f = \emptyset$;

• $\Theta \subseteq Q_n$ is a nonempty set of initial states;

• $E$ and $H$ are two finite sets of external and internal actions, disjoint from each other. We define
$A = E \cup H$;

• $f \in H$ is a distinguished fault action;

• $D \subseteq Q \times A \times Q$ is the set of discrete transitions, respecting the following properties:

  D1 for every $\mathbf{x} \in Q_n$, there exists $\mathbf{x}' \in Q_f$ such that $(\mathbf{x}, f, \mathbf{x}') \in D$;

  D2 for every $(\mathbf{x}, f, \mathbf{x}') \in D$, $\mathbf{x} \in Q_n$ and $\mathbf{x}' \in Q_f$;

  D3 for every $(\mathbf{x}, a, \mathbf{x}') \in D$ such that $a \neq f$, $\mathbf{x} \in Q_f$ iff $\mathbf{x}' \in Q_f$;

• $\mathcal{T}$ is a set of trajectories on $V$. Let $\tau.fstate = \tau.fval|X$ and, if $\tau$ is closed, $\tau.lstate = \tau.lval|X$; we
require $\mathcal{T}$ to respect the following properties:

  T1 faulty state invariance: for every $\tau \in \mathcal{T}$, either $\tau(t)|X \in Q_f$ for every $t \in dom(\tau)$, or $\tau(t)|X \in Q_n$
  for every $t \in dom(\tau)$;

  T2 prefix closure: for every $\tau \in \mathcal{T}$ and every prefix $\tau'$ of $\tau$, $\tau' \in \mathcal{T}$;

  T3 suffix closure: for every $\tau \in \mathcal{T}$ and every suffix $\tau'$ of $\tau$, $\tau' \in \mathcal{T}$;

  T4 concatenation closure: for every (possibly infinite) sequence of trajectories $\tau_0, \tau_1, \tau_2, \ldots \in \mathcal{T}$
  such that $\tau_i.lstate = \tau_{i+1}.fstate$, the concatenation $\tau_0 \cdot \tau_1 \cdot \tau_2 \cdots \in \mathcal{T}$.

Condition D1 implies that a fault can occur at any time during the evolution. Conditions D2 and D3 imply
that the only discrete action that can switch between non-faulty and faulty states is the fault action $f$,
while condition T1 implies that trajectories cannot switch between faulty and non-faulty states. Conditions
T2, T3, and T4 express some natural closure properties on $\mathcal{T}$.

Notice that, following the same approach as Lynch, Segala, and Vaandrager, we have defined the state
of a Hybrid Automaton with Faults to depend only on the values of the internal variables $X$. However,
the choice of the set of trajectories $\mathcal{T}$ can constrain the admissible values for the external variables in $W$.
For this reason, we define the set of extended states as $S = \{\mathbf{v} \in Val(V) \mid \exists \tau \in \mathcal{T} \text{ s.t. } \tau.fval = \mathbf{v}\}$. By T1
we have that $S|X = Q$, and thus the definition of extended states is sound. The set of faulty extended
states $S_f$ and the set of non-faulty extended states $S_n$ can be defined in a similar way.

Given a set of variables $V$ and a set of actions $A$, a $(V, A)$-sequence is a possibly infinite sequence
$\alpha = \tau_0 a_1 \tau_1 a_2 \tau_2 \cdots$ such that

1. $\tau_i$ is a trajectory on $V$, for every $i \ge 0$,

2. $a_i$ is an action in $A$, for every $i \ge 1$,

3. if $\alpha$ is finite then it ends with a trajectory, and

4. if $\tau_i$ is not the last trajectory of $\alpha$, then $dom(\tau_i)$ is right-closed.

If $V' \subseteq V$ and $A' \subseteq A$, then the $(V', A')$-restriction of $\alpha$ (denoted $\alpha|(V', A')$) is the $(V', A')$-sequence
obtained by first projecting all trajectories of $\alpha$ on the variables in $V'$, then removing the actions not in
$A'$, and finally concatenating all adjacent trajectories. $(V, A)$-sequences are used to give the semantics of
Hybrid Automata in terms of executions and traces.
Definition 2.2. An execution of a Hybrid Automaton $\mathcal{A}$ from a state $\mathbf{x} \in Q$ is a $(V, A)$-sequence $\alpha =
\tau_0 a_0 \tau_1 a_1 \tau_2 a_2 \ldots$ such that:

1. every $\tau_i$ is a trajectory in $\mathcal{T}$;

2. $\tau_0.fstate = \mathbf{x}$;

3. if $\tau_i$ is not the last trajectory in $\alpha$, then $\tau_i.lstate \xrightarrow{a_i} \tau_{i+1}.fstate$ with $a_i \in A$, that is,
$(\tau_i.lstate, a_i, \tau_{i+1}.fstate) \in D$.

The corresponding trace, denoted $trace(\alpha)$, is the restriction of $\alpha$ to external variables and external
actions.

We say that an execution $\alpha = \tau_0 a_0 \tau_1 a_1 \tau_2 a_2 \cdots$ is faulty if for some $i \ge 0$, $a_i = f$. An execution $\alpha$ is
maximal if it starts from a state in $\Theta$ and either it is infinite or its last trajectory $\tau_n$ is such that (i) there
exists no trajectory $\tau' \in \mathcal{T}$ such that $\tau_n$ is a prefix of $\tau'$, and (ii) there exists no discrete transition $(\mathbf{x}, a, \mathbf{x}') \in D$
with $\mathbf{x} = \tau_n.lstate$. Moreover, we say that an execution $\alpha$ is progressive if it is infinite and it contains an
infinite number of occurrences of external actions. Given a Hybrid Automaton $\mathcal{A}$, we denote by $Exec(\mathcal{A})$
the set of all maximal executions of $\mathcal{A}$, and by $Traces(\mathcal{A})$ the set of all maximal traces of $\mathcal{A}$, that is, the
set $\{trace(\alpha) : \alpha \in Exec(\mathcal{A})\}$. $\mathcal{A}$ is progressive if all executions in $Exec(\mathcal{A})$ are progressive.

We say that a hybrid automaton with faults is diagnosable if (maximal) faulty executions can be 
distinguished from non-faulty ones by looking at the corresponding traces. 

Definition 2.3 (Diagnosability). We say that a Hybrid Automaton with Faults $\mathcal{A} = (W, X, Q, Q_f, \Theta, E,
H, f, D, \mathcal{T})$ is diagnosable if for any two maximal executions $\alpha_1, \alpha_2 \in Exec(\mathcal{A})$, if $\alpha_1$ is faulty then either
$\alpha_2$ is faulty or $trace(\alpha_1) \neq trace(\alpha_2)$.

The above definition of diagnosability is very general, and can be applied to a large class of faults,
involving both the continuous and the discrete dynamics of the system. However, solving the fault-
diagnosis problem can be very complex, if not impossible, under this definition.

In this paper we consider a weaker notion of diagnosability, that we call time-abstract diagnosability,
for which the fault-diagnosis problem can be solved in a simpler way, leaving the treatment of the
stronger diagnosability notion for a subsequent paper. We assume the system to be progressive, and we
define the diagnoser as a kind of finite-state digital device that monitors the evolution of the system
by reacting to external actions and by measuring the values of external variables with a fixed and
finite precision. We formally define the latter restriction by introducing the notion of observation for the
external variables.

Definition 2.4. Given the set of external variables $W$ of a hybrid automaton with faults $\mathcal{A}$, an observation
of $W$ is any finite partition $\mathcal{O} = \{O_1, \ldots, O_k\}$ of $Val(W)$. We call the elements $O_i$ of the partition
observables for $W$.

In this setting, we say that a progressive system is time-abstract diagnosable if faults can be determined
only by looking at the observables and at the occurrences of external discrete actions, without
considering the delays and the trajectories between them. To formally define such a notion, we first need
to define untimed observation traces for hybrid automata.

Definition 2.5. Given a trace $\beta = \tau_0 a_0 \tau_1 a_1 \tau_2 a_2 \cdots$ of a Hybrid Automaton $\mathcal{A}$, and an observation $\mathcal{O}$ for
$W$, we define the corresponding untimed observation trace as the sequence $untime(\beta) = O_0 a_0 O_1 a_1 O_2 a_2 \cdots$
such that $\tau_i.fval \in O_i$ for each $i \ge 0$. Given an execution $\alpha$ of $\mathcal{A}$, we define $utrace(\alpha) = untime(trace(\alpha))$.

Definition 2.6 (Time-abstract diagnosability). We say that a Hybrid Automaton with Faults $\mathcal{A} = (W, X,
Q, Q_f, \Theta, E, H, f, D, \mathcal{T})$ is time-abstract diagnosable if it is progressive and, for any two maximal executions
$\alpha_1, \alpha_2 \in Exec(\mathcal{A})$, if $\alpha_1$ is faulty then either $\alpha_2$ is faulty or $utrace(\alpha_1) \neq utrace(\alpha_2)$.

Since $utrace(\alpha_1) \neq utrace(\alpha_2)$ implies that $trace(\alpha_1) \neq trace(\alpha_2)$, a hybrid automaton that is time-
abstract diagnosable is also diagnosable, but the converse does not necessarily hold. Indeed, any fault
that does not change the sequence of discrete actions performed by the system, but only the delays or the
continuous trajectories between them, is not time-abstract diagnosable.

3 The Fault Detection Game 

In this section we introduce the key notion of Fault Detection Game (for time-abstract fault diagnosis),
played on a Hybrid Automaton with Faults $\mathcal{A}$ by two players, the Environment and the Diagnoser. A
position in the game is a pair $(\mathbf{v}, d) \in Val(V) \times \{yes, no\}$, such that $\mathbf{v}$ is an extended state of $\mathcal{A}$. Given a
current position $(\mathbf{v}, d)$, we distinguish between the following kinds of moves:

1. Diagnoser move: the Diagnoser chooses an answer $d' \in \{yes, no\}$. The game continues from
position $(\mathbf{v}, d')$ with an Environment move, and we denote this by $(\mathbf{v}, d) \xrightarrow{d'} (\mathbf{v}, d')$.

2. Environment move: the Environment chooses one of the following possible moves:

(a) two valuations $\mathbf{v}', \mathbf{v}'' \in Val(V)$, a trajectory $\tau \in \mathcal{T}$, and an external action $e \in E$ such that
$\tau.fval = \mathbf{v}$, $\tau.lval = \mathbf{v}''$, and $\mathbf{v}''|X \xrightarrow{e} \mathbf{v}'|X$. The game continues from position $(\mathbf{v}', d)$ with a
Diagnoser move, and we denote this by $(\mathbf{v}, d) \xrightarrow{e} (\mathbf{v}', d)$;

(b) two valuations $\mathbf{v}', \mathbf{v}'' \in Val(V)$, a trajectory $\tau \in \mathcal{T}$, and an internal action $h \in H$ such that
$\tau.fval = \mathbf{v}$, $\tau.lval = \mathbf{v}''$, and $\mathbf{v}''|X \xrightarrow{h} \mathbf{v}'|X$. The game continues from position $(\mathbf{v}', d)$ with an
Environment move, and we denote this by $(\mathbf{v}, d) \xrightarrow{h} (\mathbf{v}', d)$.

Notice that the Fault Detection Game is asymmetric: in our framework the environment is more
powerful than the diagnoser, since it can choose the continuous trajectory to follow and can prevent the
diagnoser from moving by choosing an internal action. Moreover, the game is also under partial observability:
as formally stated in the following, the diagnoser is blind to the value of internal variables and to the
occurrence of internal events.

Definition 3.1 (Run of the Fault Detection Game). A run of the game is an infinite sequence $\rho =
(\mathbf{v}_0, d_0) \xrightarrow{m_1} (\mathbf{v}_1, d_1) \xrightarrow{m_2} \cdots$ such that:

1. $d_0 = no$,

2. $m_1$ is a diagnoser move,

3. for every $i \ge 1$, $(\mathbf{v}_{i-1}, d_{i-1}) \xrightarrow{m_i} (\mathbf{v}_i, d_i)$ is a valid move of the game;

4. for every $i > 1$, $m_i$ is a diagnoser move if and only if $m_{i-1}$ is an environment move with $m_{i-1} \notin H$.

A run is winning for the diagnoser if one of the two following conditions holds:

• either for each $i \ge 1$, $m_i \neq f$ and, for each $j \ge 1$, $d_j = no$, or

• there exists $i \ge 1$ such that $m_i = f$ and $j > i$ such that $d_j = yes$.

Given an observation $\mathcal{O}$ for the external variables, the corresponding observation of a run $\rho$ is a
sequence $obs(\rho) = (O_0, d_0) \to (O_1, d_1) \to \cdots$ obtained from $\rho$ by replacing every maximal sequence of
environment moves $(\mathbf{v}_j, d_j) \to \cdots \to (\mathbf{v}_{j+k}, d_{j+k})$ with the single move $(\mathbf{v}_j, d_j) \to (\mathbf{v}_{j+k}, d_{j+k})$ and by restricting
every position $(\mathbf{v}_j, d_j)$ to $(O_j, d_j)$, where $O_j$ is the unique observable such that $\mathbf{v}_j|W \in O_j$. We denote by
$Obs_f(\mathcal{A})$ the set of finite observations for the Fault Detection Game played on $\mathcal{A}$. A strategy is a function
that tells the Diagnoser which move to choose given a finite observation.

Definition 3.2. A strategy is a partial function $\lambda$ from $Obs_f(\mathcal{A})$ to $\{yes, no\}$.
The strategy tells the diagnoser what answer to give at the current moment. Let $\rho$ be a run of the
game, $\sigma = obs(\rho)$, and let $\sigma_i = (O_0, d_0) \to \cdots \to (O_i, d_i)$ be the prefix of $\sigma$ of length $i$. We say
that $\rho$ is consistent with the strategy $\lambda$ when, for all $i$, if $\lambda(\sigma_i) = d$ then either $m_{i+1} = d$ or $m_{i+1}$ is an
environment move. A strategy $\lambda$ is winning from a state $\mathbf{x} \in Q$ if for all $\mathbf{v}$ such that $\mathbf{v}|X = \mathbf{x}$, all runs
starting in $(\mathbf{v}, no)$ compatible with $\lambda$ are winning. The set of winning states is the set of states from
which there is a winning strategy.

We can now define the fault diagnosis problems we will study. 

Definition 3.3 (Time-abstract Diagnosability in a class $\mathfrak{C}$ of automata). Given a hybrid automaton with
faults $\mathcal{A} \in \mathfrak{C}$, determine whether there exists a winning strategy in the Fault Detection Game played on
$\mathcal{A}$ from the initial states $\Theta$.

Definition 3.4 (Time-abstract Diagnoser synthesis in a class $\mathfrak{C}$ of automata). Given a hybrid automaton
with faults $\mathcal{A} \in \mathfrak{C}$, determine whether there exists a winning strategy in the Fault Detection Game played
on $\mathcal{A}$ from the initial states $\Theta$, and compute such a strategy if possible.

4 Computing Strategies 

In this section we show how to solve the Time-abstract Diagnosability and the Time-abstract Diagnoser
synthesis problems for some relevant classes of hybrid automata, exploiting the notion of bisimulation.
This key notion has been introduced in many fields with different purposes (for instance, van Benthem
proposed it as an equivalence principle between structures). In our setting, we use bisimulation as an
equivalence principle between states of a hybrid automaton. Roughly speaking, two extended states $\mathbf{v}$ and
$\mathbf{v}'$ are bisimilar if every behaviour that starts from $\mathbf{v}$ can be matched by starting from $\mathbf{v}'$ and vice versa.

Definition 4.1 (Time-abstract bisimulation). Given a Hybrid Automaton with Faults $\mathcal{A} = (W, X, Q,
Q_f, \Theta, E, H, f, D, \mathcal{T})$, a time-abstract bisimulation is an equivalence relation $\sim \subseteq S \times S$ such that for every
$\mathbf{v}_1, \mathbf{v}_1', \mathbf{v}_2 \in S$, the following two conditions are satisfied:



Given a hybrid automaton $\mathcal{A}$ and a time-abstract bisimulation $\sim \subseteq S \times S$, we say that two extended
states $\mathbf{v}, \mathbf{v}' \in S$ are bisimilar if and only if $\mathbf{v} \sim \mathbf{v}'$. The equivalence class of $\mathbf{v}$, denoted by $[\mathbf{v}]_\sim$, is defined
as the set $[\mathbf{v}]_\sim = \{\mathbf{v}' \in S \mid \mathbf{v}' \sim \mathbf{v}\}$ (in the following, we will omit the $\sim$ subscript when clear from the
context). A time-abstract bisimulation naturally induces a partition of $S$ into equivalence classes, called
the bisimulation quotient of $\mathcal{A}$.

Definition 4.2 (Bisimulation quotient). Given a Hybrid Automaton with Faults $\mathcal{A}$ and a time-abstract
bisimulation $\sim \subseteq S \times S$, the bisimulation quotient of $\mathcal{A}$ under $\sim$ is defined as the set $S/\!\sim = \{[\mathbf{v}]_\sim \mid \mathbf{v} \in S\}$.

A bisimulation $\sim$ has finite index if the number of equivalence classes in $S/\!\sim$ is finite, and infinite
index otherwise. We say that a class $\mathfrak{C}$ of hybrid automata admits a bisimulation with finite quotient if
for every $\mathcal{A} \in \mathfrak{C}$ there exists a time-abstract bisimulation $\sim$ with finite index. We say that such a quotient
can be effectively computed if there exists an algorithm that can compute $\sim$ and $S/\!\sim$ for every $\mathcal{A} \in \mathfrak{C}$. In
the following we concentrate our attention on the classes of hybrid automata that admit a bisimulation
with finite quotient that can be effectively computed, and we will prove that the Diagnosability and the
Diagnoser synthesis problems are decidable in this case.

In the case of hybrid automata with faults, we have that the equivalence classes of a bisimulation
respect the partition between faulty and non-faulty states, as formally proved by the following lemma. In
the following, we denote with $S_f/\!\sim$ the set of equivalence classes of the faulty extended states of $\mathcal{A}$, and
with $S_n/\!\sim$ the set of equivalence classes of the non-faulty extended states of the automaton.

Lemma 4.3. Given a hybrid automaton with faults $\mathcal{A}$ and a time-abstract bisimulation $\sim \subseteq S \times S$, we
have that for every $\mathbf{v} \in S_n$ and $\mathbf{v}' \in S_f$, $\mathbf{v} \not\sim \mathbf{v}'$.

Proof. Suppose by contradiction that there exist $\mathbf{v}_1 \in S_n$ and $\mathbf{v}_1' \in S_f$ such that $\mathbf{v}_1 \sim \mathbf{v}_1'$. By D1 we have
that there must exist $\mathbf{v}_2 \in S_f$ such that $(\mathbf{v}_1|X, f, \mathbf{v}_2|X) \in D$. By the definition of bisimulation, this implies
that there exists $\mathbf{v}_2' \in S$ such that $(\mathbf{v}_1'|X, f, \mathbf{v}_2'|X) \in D$, in contradiction with D2, since $\mathbf{v}_1'|X \in Q_f$. □

Given an observation $\mathcal{O}$ of $Val(W)$, we say that a bisimulation $\sim \subseteq S \times S$ respects $\mathcal{O}$ if for every
$\mathbf{v}, \mathbf{v}' \in S$, $\mathbf{v} \sim \mathbf{v}'$ implies that $\mathbf{v}|W$ and $\mathbf{v}'|W$ belong to the same observable of $\mathcal{O}$. From now on we assume
that $\sim$ respects the observation $\mathcal{O}$ of external variables.

We are now ready to define the key notion of state estimator of a hybrid automaton with faults.
Intuitively, a state estimator is a finite automaton that, given an untimed observation trace $\beta$ of $\mathcal{A}$, provides
the set of states that can be reached by $\mathcal{A}$ under all possible executions compatible with $\beta$.

Definition 4.4 (State estimator). Given a hybrid automaton with faults $\mathcal{A} = (W, X, Q, Q_f, \Theta, E, H, f, D,
\mathcal{T})$, an observation $\mathcal{O}$ for the external variables, and a bisimulation with finite index $\sim \subseteq S \times S$ that
respects $\mathcal{O}$, we define the state estimator of $\mathcal{A}$ as the transition system $\mathcal{E} = (2^{S/\sim}, \Pi, \Delta)$ such that:

E1 $2^{S/\sim}$ is the power set of $S/\!\sim$;

E2 $\Pi \subseteq 2^{S/\sim}$ is the set of initial states, defined as

$\Pi = \{\mathbb{S} \in 2^{S/\sim} \mid \exists O \in \mathcal{O} \text{ s.t. } \forall \mathbf{v} \in S,\ (\mathbf{v}|X \in \Theta \wedge \mathbf{v}|W \in O) \Rightarrow [\mathbf{v}] \in \mathbb{S}\}$;

E3 $\Delta : 2^{S/\sim} \times A \times \mathcal{O} \to 2^{S/\sim}$ is the transition function such that $\Delta(\mathbb{S}, a, O) = \mathbb{S}'$ iff for all finite executions
$\alpha = \tau_0 a_0 \cdots a_{n-1} \tau_n$ of $\mathcal{A}$,

$(a_{n-1} = a \wedge [\tau_0.fval] \in \mathbb{S} \wedge utrace(\alpha) = O'\,a\,O \text{ for some } O' \in \mathcal{O}) \Rightarrow [\tau_n.fval] \in \mathbb{S}'$.

The state estimator is a deterministic automaton, since the transition function associates a unique
successor state to every pair of input symbols $(a, O)$. Hence, with a little abuse of notation, we can
define the function $\Delta$ on untimed observation traces as follows. Given an untimed observation trace
$\beta = O_0 a_0 O_1 a_1 \ldots$ and a state $\mathbb{S} \in 2^{S/\sim}$, we define $\Delta(\mathbb{S}, \beta)$ as the sequence of estimator states $\mathbb{S}_0 \mathbb{S}_1 \ldots$
such that (i) $\mathbb{S}_0 = \mathbb{S}$, and (ii) $\mathbb{S}_i = \Delta(\mathbb{S}_{i-1}, a_{i-1}, O_i)$ for all $i \ge 1$. Moreover, we define $\Delta(\beta) = \Delta(\mathbb{S}_0, \beta)$,
where $\mathbb{S}_0$ is the unique state in $\Pi$ such that $\mathbb{S}_0 = \{[\mathbf{v}] \in S/\!\sim \text{ s.t. } \mathbf{v}|X \in \Theta \text{ and } \mathbf{v}|W \in O_0\}$. The following
lemma proves that the state estimator is correctly defined, and can be seen as a consequence of the fact
that time-abstract bisimulation preserves traces.

Lemma 4.5. Given a hybrid automaton with faults $\mathcal{A}$, and a state estimator $\mathcal{E}$ for it, let $\beta$ be a finite
untimed observation trace of $\mathcal{A}$, and $\Delta(\beta) = \mathbb{S}_0 \mathbb{S}_1 \ldots \mathbb{S}_n$. Then, for every $[\mathbf{v}] \in S/\!\sim$, $[\mathbf{v}] \in \mathbb{S}_n$ if and only
if there exists a finite execution $\alpha = \tau_0 a_0 \tau_1 a_1 \cdots a_{m-1} \tau_m$ such that $utrace(\alpha) = \beta$, $\tau_0.fstate \in \Theta$, and
$\tau_m.fval \in [\mathbf{v}]$.

Proof. Let $\beta = O_0 a_0 O_1 a_1 \ldots a_{n-1} O_n$ be a finite untimed observation trace of $\mathcal{A}$. We prove the lemma by
induction on the length of $\beta$.

If $n = 0$ then $\beta = O_0$ and the claim trivially follows from the definition of $\Delta(\beta)$.

If $n > 0$, let $\beta_{n-1} = O_0 a_0 O_1 a_1 \ldots a_{n-2} O_{n-1}$, and suppose by inductive hypothesis that the claim holds
for $\beta_{n-1}$. Now, let $\alpha = \tau_0 a_0 \cdots a_{m-1} \tau_m$ be an execution of $\mathcal{A}$ such that $utrace(\alpha) = \beta$ and $\tau_0.fstate \in \Theta$.
By the definition of untimed observation trace, let $\alpha_{n-1} = \tau_0 a_0 \cdots a_{l-1} \tau_l$ be the prefix of $\alpha$ such that
$utrace(\alpha_{n-1}) = \beta_{n-1}$, and let $\Delta(\beta_{n-1}) = \mathbb{S}_0 \ldots \mathbb{S}_{n-1}$. By inductive hypothesis, we have that $[\tau_l.fval] \in
\mathbb{S}_{n-1}$. Consider now the finite execution $\alpha' = \tau_l a_l \ldots a_{m-1} \tau_m$ such that $\alpha = \alpha_{n-1} \alpha'$. By the definition of
untimed observation trace, we have that $utrace(\alpha') = O_{n-1} a_{n-1} O_n$ and thus, by the definition of $\Delta$, that
$[\tau_m.fval] \in \Delta(\mathbb{S}_{n-1}, a_{n-1}, O_n) = \mathbb{S}_n$. To prove the converse implication, let $[\mathbf{v}] \in \mathbb{S}_n$. By definition of $\Delta$,
this implies that there exists a finite execution $\gamma = \tau_0 a_0 \cdots a_{m-1} \tau_m$ such that $[\tau_0.fval] \in \mathbb{S}_{n-1}$, $utrace(\gamma) =
O_{n-1} a_{n-1} O_n$, and $\tau_m.fval \in [\mathbf{v}]$. By inductive hypothesis, we have that there exists a finite execution
$\gamma' = \tau_0' a_0' \ldots a_{l-1}' \tau_l'$ such that $utrace(\gamma') = \beta_{n-1}$, $\tau_0'.fstate \in \Theta$, and $[\tau_l'.fval] \in \mathbb{S}_{n-1}$. Hence, the finite
execution $\xi = \tau_0' a_0' \ldots a_{l-1}' \tau_0 a_0 \cdots a_{m-1} \tau_m$ is a valid execution of $\mathcal{A}$ respecting the desired properties. □

Given the partition of the equivalence classes in $S/\!\sim$ between faulty and non-faulty ones, we can
distinguish between three different kinds of states $\mathbb{S} \in 2^{S/\sim}$ of the state estimator:

• faulty states, such that $\mathbb{S} \subseteq S_f/\!\sim$;

• non-faulty states, such that $\mathbb{S} \subseteq S_n/\!\sim$; and

• indeterminate states, which contain both faulty and non-faulty equivalence classes.

It turns out that there exists a winning strategy for the diagnoser on the Fault Detection Game played on
$\mathcal{A}$ if and only if there are no loops of indeterminate states reachable from the initial states of the estimator.

Theorem 4.6. Given a hybrid automaton with faults $\mathcal{A}$, an observation $\mathcal{O}$ for the external variables, and
a bisimulation with finite index $\sim \subseteq S \times S$ that respects $\mathcal{O}$, we have that there exists a winning strategy
for the diagnoser in the Fault Detection Game played on $\mathcal{A}$ from the initial states $\Theta$ if and only if there
are no loops of indeterminate states reachable from the initial states $\Pi$ of the state estimator for $\mathcal{A}$.
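As an added example (not code from the paper), the following Python implements the state estim" +
"ator of Definition 4.4 and the loop criterion of Theorem 4.6 directly on a finite bisimulation quotient, and also exercises the remark closing Section 2 (a fault that leaves the observable sequence unchanged is not time-abstract diagnosable). The three quotient automata, the class names, the observables low/high/alarm and the external action tick are constructed assumptions; continuous flows are folded into invisible moves, since the check is time-abstract.

```python
from collections import deque

def internal_closure(q, classes):
    """Classes reachable from `classes` through internal actions (the fault f
    among them) or time-abstract flows: moves the Diagnoser never sees."""
    seen, work = set(classes), list(classes)
    while work:
        c = work.pop()
        for src, act, dst in q["trans"]:
            if src == c and act not in q["external"] and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen

def delta(q, est, action, observable):
    """Delta(S, a, O) of Definition 4.4: classes entered right after the external
    action a, starting from S via invisible moves, whose observable is O."""
    before = internal_closure(q, est)
    return frozenset(dst for src, act, dst in q["trans"]
                     if src in before and act == action
                     and q["classes"][dst][1] == observable)

def kind(q, est):
    """Classify an estimator state (Lemma 4.3: a class is wholly faulty or not)."""
    flags = {q["classes"][c][0] for c in est}
    if len(flags) > 1:
        return "indeterminate"
    return "faulty" if flags == {True} else "non-faulty"

def build_estimator(q):
    """Reachable part of the estimator: each reachable state S mapped to the set
    of successors Delta(S, a, O) over all external actions a and observables O."""
    observables = {obs for _, obs in q["classes"].values()}
    work = deque(frozenset(c for c in q["initial"] if q["classes"][c][1] == o)
                 for o in observables)
    graph = {}
    while work:
        est = work.popleft()
        if not est or est in graph:   # empty set: no execution fits (a, O)
            continue
        graph[est] = set()
        for a in q["external"]:
            for o in observables:
                nxt = delta(q, est, a, o)
                if nxt:
                    graph[est].add(nxt)
                    work.append(nxt)
    return graph

def has_indeterminate_loop(q, graph):
    """Theorem 4.6 criterion: is there a cycle made only of indeterminate
    estimator states reachable from the initial states? (iterative DFS)"""
    ind = {s for s in graph if kind(q, s) == "indeterminate"}
    colour = dict.fromkeys(ind, 0)          # 0 white, 1 on stack, 2 done
    for root in ind:
        if colour[root]:
            continue
        colour[root] = 1
        stack = [(root, iter(graph[root] & ind))]
        while stack:
            node, succs = stack[-1]
            for s in succs:
                if colour[s] == 1:          # back edge closes an indeterminate loop
                    return True
                if colour[s] == 0:
                    colour[s] = 1
                    stack.append((s, iter(graph[s] & ind)))
                    break
            else:
                colour[node] = 2
                stack.pop()
    return False

def time_abstract_diagnosable(q):
    return not has_indeterminate_loop(q, build_estimator(q))

# Constructed quotients (assumed, for illustration): nominal behaviour alternates
# the observables low/high on each external 'tick'; every non-faulty class has an
# f move, so D1 holds. A class is (faulty?, observable of its W part).
def make_quotient(faulty_trans):
    return {
        "classes": {"n0": (False, "low"), "n1": (False, "high"), "f0": (True, "low"),
                    "f1": (True, "high"), "fa": (True, "alarm")},
        "initial": {"n0"},
        "external": {"tick"},
        "trans": [("n0", "tick", "n1"), ("n1", "tick", "n0"),
                  ("n0", "f", "f0"), ("n1", "f", "f1")] + faulty_trans,
    }

# After the fault the observable sticks at 'high': detected within two ticks.
STUCK = make_quotient([("f0", "tick", "f1"), ("f1", "tick", "f1")])
# After the fault the next tick shows 'alarm': detected at once.
ALARM = make_quotient([("f0", "tick", "fa"), ("f1", "tick", "fa"), ("fa", "tick", "fa")])
# The fault leaves the observable sequence unchanged (end of Section 2): undetectable.
SILENT = make_quotient([("f0", "tick", "f1"), ("f1", "tick", "f0")])

if __name__ == "__main__":
    for name, q in (("stuck", STUCK), ("alarm", ALARM), ("silent", SILENT)):
        print(name, "time-abstract diagnosable:", time_abstract_diagnosable(q))
```

The STUCK quotient passes through the indeterminate estimator state {n1, f1} but never loops in it, which is exactly the delayed-detection case the strategy of Theorem 4.6 handles by answering no until a faulty estimator state is reached.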

Proof. Let $\mathcal{E} = (2^{S/\sim}, \Pi, \Delta)$ be the state estimator for $\mathcal{A}$, and suppose that there are no loops of indeterminate
states reachable from the initial states $\Pi$. We show how to define a winning strategy for the
diagnoser in the Fault Detection Game played on $\mathcal{A}$ from the initial states $\Theta$. Given a finite observation
for the fault diagnosis game $\sigma = (O_0, d_0) \to (O_1, d_1) \to \cdots \to (O_i, d_i)$, we define the corresponding
untimed observation trace $utrace(\sigma) = O_0 a_0 \cdots a_{i-1} O_i$ by removing all diagnoser moves and ignoring
the $d_j$ component of the positions. Let $\Delta(O_0 a_0 \cdots a_{i-1} O_i) = \mathbb{S}_0 \cdots \mathbb{S}_i$. We define the strategy $\lambda$ on $\sigma$ as
follows:

$$\lambda(\sigma) = \begin{cases} yes & \text{if } \mathbb{S}_i \text{ is a faulty state of } \mathcal{E} \\ no & \text{otherwise} \end{cases}$$

Now, let $\rho = (\mathbf{v}_0, d_0) \xrightarrow{m_1} (\mathbf{v}_1, d_1) \xrightarrow{m_2} \cdots$ be an infinite run of the game compatible with $\lambda$, let $\sigma =
utrace(obs(\rho)) = O_0 a_1 O_1 a_2 \ldots$ be the corresponding infinite untimed observation trace, and let $\Delta(\sigma) =
\mathbb{S}_0 \mathbb{S}_1 \mathbb{S}_2 \cdots$. Two cases may arise:

• $\rho$ is faulty. Since there are no loops of indeterminate states in $\mathcal{E}$, from Lemma 4.3 we can conclude
that there exists $i \ge 0$ such that for every $j \ge i$, $\mathbb{S}_j$ is a faulty state of the estimator. Hence, the
strategy $\lambda$ is such that there exists $k$ such that $m_k = yes$, and thus $\rho$ is winning for the diagnoser.

• $\rho$ is non-faulty. From Lemma 4.5 we can conclude that all $\mathbb{S}_i$ are either non-faulty or indeterminate.
Hence, the strategy $\lambda$ is such that $m_i = no$ for every diagnoser move, and $\rho$ is winning for the
diagnoser.

In both cases the diagnoser wins the game, so we can conclude that $\lambda$ is a winning strategy for the
diagnoser in the Fault Detection Game on $\mathcal{A}$ from the initial states $\Theta$.
Conversely, suppose that there exists a loop of indeterminate states reachable from $\Pi$ in $\mathcal{E}$. This im- 
plies that there exist an indeterminate state $S$ and two time-abstract observation traces $\alpha = O_0 a_0 \ldots a_{n-1} O_n$ 
and $\beta = O_n a_n \ldots a_{m-1} O_m$ such that: 

1. $\Delta(S_0, \alpha) = S_0 \ldots S_n$ is such that $S_0 \in \Pi$ and $S_n = S$, and 

2. $\Delta(S_n, \beta) = S_n \ldots S_m$ is such that $S_n = S_m = S$ and $S_i$ is an indeterminate state for each $n \leq i \leq m$. 

Now, suppose by contradiction that there exists a winning strategy $\lambda$ for the diagnoser, and consider the 
infinite time-abstract observation trace $\gamma = \alpha\beta\beta\beta\ldots$. Two cases may arise: 

• For every finite prefix $\gamma'$ of $\gamma$, $\lambda(\gamma') = \text{no}$. By Lemma 4.3, since every state in $\beta$ contains a faulty 
equivalence class, we have that there exists a faulty execution $\alpha$ of A such that $utrace(\alpha) = \gamma$. 
This implies that it is possible to build an infinite faulty run of the game that is winning for the 
environment, against the hypothesis that $\lambda$ is winning for the diagnoser. 

• There exists a finite prefix $\gamma'$ of $\gamma$ such that $\lambda(\gamma') = \text{yes}$. By Lemma 4.3, since every state in $\beta$ 
contains a non-faulty equivalence class, we have that there exists a non-faulty execution $\alpha_i$ of A 
such that $utrace(\alpha_i) = \gamma'$. This implies that it is possible to build a run of the game that is winning 
for the environment, against the hypothesis that $\lambda$ is winning for the diagnoser. 

In both cases a contradiction is found, and the thesis is proved. □ 

Let T be a logical theory. If all the components of a hybrid automaton with faults A are definable in 
T, we say that A is definable in T. Moreover, a class of hybrid automata with faults $\mathcal{C}$ is definable in T if 
every A $\in \mathcal{C}$ is definable in T. The previous theorem shows that the state estimator can be used to define a 
winning strategy for the diagnoser in the Fault Detection Game. However, it does not necessarily imply that 
we can compute such a strategy, since the theory used to define the automata is not necessarily decidable. 
Moreover, even when T is decidable it is not guaranteed that a bisimulation with finite quotient can 
be effectively computed. The following theorem states that if some conditions on the considered theory 
and on the observation of external variables are respected, then Theorem 4.6 provides an algorithmic 
solution to the diagnosability and the diagnoser synthesis problem. 

Theorem 4.7. Let T be a decidable theory. Let $\mathcal{C}$ be a class of Hybrid Automata with Faults that can be 
defined in T and such that for every A in $\mathcal{C}$, there exists a bisimulation with finite quotient $\sim$ that can 
be effectively computed. Then the time-abstract diagnosability problem in the class $\mathcal{C}$ is decidable for 
every observation definable in T. Moreover, a winning strategy for the diagnoser can be computed, if 
possible. 

Proof. To prove that both the time-abstract diagnosability and the time-abstract diagnoser synthesis 
problems are decidable we have to show how to compute a state estimator $\mathcal{E}$ for the automaton A. 

First of all, let $\mathcal{O}$ be a definable observation for the external variables, and let $\sim$ be a bisimulation with 
finite quotient for A. In general, it is not guaranteed that $\sim$ respects $\mathcal{O}$. However, since $\mathcal{O}$ is definable 
in T and T is decidable, we can always refine $\sim$ to a finer bisimulation respecting $\mathcal{O}$ by using the 
bisimulation algorithm given in [10, 14]. Since both $\mathcal{O}$ and $S/\!\sim$ are finite sets, to prove that $\mathcal{E}$ can be 
effectively computed it is sufficient to prove that the transition relation $\Delta$ is computable. Given a state 
$S$ of the estimator, an action $a \in \Sigma$, and an observable $O \in \mathcal{O}$, computing the successor state $\Delta(S, a, O)$ 
can be reduced to a reachability problem on A. Since it is known that reachability is decidable for all 
classes of hybrid automata for which there exists a bisimulation with finite quotient that can be effectively 
computed, $\Delta$ is computable and there exists an algorithm that can build the state estimator for A. 

Once the state estimator $\mathcal{E}$ has been built, we can use it for solving both the time-abstract diag- 
nosability and the time-abstract diagnoser synthesis problems as follows. 

• From Theorem 4.6 we know that there exists a winning strategy for the diagnoser in the Fault 
Detection Game if and only if there are no loops of indeterminate states in $\mathcal{E}$. Since the state 
estimator is a finite automaton, existence of such loops can be determined by computing a depth- 
first visit of $\mathcal{E}$, and thus the time-abstract diagnosability problem is decidable. 

• The proof of Theorem 4.6 shows how the state estimator can be used to define a winning strategy 
for the diagnoser in the Fault Detection Game. Since the state estimator can be effectively 
computed, we have that such a strategy can be computed. 

Hence, both problems are decidable under the considered assumptions. □ 
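The construction used in the proofs of Theorem 4.6 and Theorem 4.7 (build the state estimator over the finite quotient, classify its states as faulty, non-faulty or indeterminate, search for a reachable loop of indeterminate states with a depth-first visit, and read the diagnoser's strategy off the current estimator state) is shown below as an added example. It is not code from the paper or its authors; it works on a constructed, already-computed finite quotient of a toy pump model rather than on a hybrid automaton, and it assumes that the quotient's transitions carry either an observable action from $\Sigma$ or one of two unobservable labels (a time-abstract step `tau` and the fault event `f`), and that $\Delta(S, a, O)$ collects the classes reached by one $a$-step followed by unobservable steps that keep the observable equal to $O$. That reading of $\Delta$ is this example's assumption; the paper only states that $\Delta(S, a, O)$ reduces to reachability on A.

```python
"""Added example (constructed toy model, not the paper's code): state estimator,
diagnosability check of Theorem 4.6 and the diagnoser strategy lambda."""
from collections import deque
from typing import Dict, FrozenSet, List, Tuple

# Assumption of this example: these two labels are invisible to the diagnoser.
UNOBSERVABLE = {"tau", "f"}


class Quotient:
    """Finite bisimulation quotient S/~ respecting the observation (assumed given).

    trans: (class, label, class) triples; obs: class -> observable (constant on a
    class because ~ respects the observation); faulty: classes reached after f.
    """

    def __init__(self, initial, trans, obs, faulty):
        self.initial = frozenset(initial)
        self.trans = trans
        self.obs = obs
        self.faulty = frozenset(faulty)
        self.actions = sorted({l for _, l, _ in trans if l not in UNOBSERVABLE})
        self.observables = sorted(set(obs.values()))

    def post(self, S, label):
        return {q2 for q1, l, q2 in self.trans if q1 in S and l == label}

    def closure(self, S, O):
        """Classes reachable from S by unobservable steps while observing O."""
        todo = [q for q in S if self.obs[q] == O]
        seen = set(todo)
        while todo:
            q = todo.pop()
            for q1, l, q2 in self.trans:
                if q1 == q and l in UNOBSERVABLE and self.obs[q2] == O and q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
        return frozenset(seen)

    def delta(self, S, a, O):
        """Delta(S, a, O): one a-step, then unobservable steps, observing O (assumed)."""
        return self.closure(self.post(S, a), O)

    def kind(self, S):
        """The three kinds of estimator states: faulty, non-faulty, indeterminate."""
        if S <= self.faulty:
            return "faulty"
        if not (S & self.faulty):
            return "non-faulty"
        return "indeterminate"


class Estimator:
    """State estimator (2^{S/~}, Pi, Delta) built by subset construction."""

    def __init__(self, quot: Quotient):
        self.quot = quot
        # Pi: one initial estimator state per observable that is possible initially.
        self.initial = {O: S for O in quot.observables
                        if (S := quot.closure(quot.initial, O))}
        self.edges: Dict[FrozenSet[str], List[Tuple[str, str, FrozenSet[str]]]] = {}
        todo = deque(self.initial.values())
        while todo:
            S = todo.popleft()
            if S in self.edges:
                continue
            self.edges[S] = []
            for a in quot.actions:
                for O in quot.observables:
                    S2 = quot.delta(S, a, O)
                    if S2:
                        self.edges[S].append((a, O, S2))
                        todo.append(S2)

    def diagnosable(self) -> bool:
        """Theorem 4.6: winning strategy exists iff no reachable loop of
        indeterminate states; found by a depth-first visit restricted to them."""
        ind = {S for S in self.edges if self.quot.kind(S) == "indeterminate"}
        colour: Dict[FrozenSet[str], str] = {}

        def dfs(S) -> bool:  # True iff a cycle through indeterminate states exists
            colour[S] = "grey"
            for _, _, S2 in self.edges[S]:
                if S2 not in ind:
                    continue
                if colour.get(S2) == "grey" or (S2 not in colour and dfs(S2)):
                    return True
            colour[S] = "black"
            return False

        return not any(dfs(S) for S in ind if S not in colour)

    def diagnose(self, trace: List[str]) -> List[str]:
        """Strategy lambda on an untimed observation trace [O0, a0, O1, a1, ..., On]:
        answer "yes" at position i iff the estimator state S_i is faulty."""
        S = self.initial.get(trace[0], frozenset())
        answers = ["yes" if S and self.quot.kind(S) == "faulty" else "no"]
        for a, O in zip(trace[1::2], trace[2::2]):
            S = self.quot.delta(S, a, O)
            answers.append("yes" if S and self.quot.kind(S) == "faulty" else "no")
        return answers


def pump_model(with_ping: bool) -> Quotient:
    """Constructed quotient of a pump whose fault makes it ignore "stop"."""
    trans = [
        ("idle", "tau", "idle"), ("idle", "start", "run"),
        ("run", "tau", "run"), ("run", "stop", "idle"), ("run", "f", "run_f"),
        ("run_f", "tau", "run_f"), ("run_f", "stop", "stuck"),
        ("stuck", "tau", "stuck"), ("stuck", "start", "stuck"), ("stuck", "stop", "stuck"),
    ]
    if with_ping:  # an observable action that never distinguishes run from run_f
        trans += [("run", "ping", "run"), ("run_f", "ping", "run_f")]
    obs = {"idle": "off", "run": "on", "run_f": "on", "stuck": "on"}
    return Quotient(["idle"], trans, obs, ["run_f", "stuck"])
```

Without `ping`, the only indeterminate estimator state is {run, run_f}; every observable action leaves it (to {idle} on "stop/off", to the faulty {stuck} on "stop/on"), so `diagnosable()` holds and `diagnose` answers "yes" from the first "stop" that is observed as "on". Adding `ping` gives that indeterminate state a self-loop, which is exactly the loop of indeterminate states of Theorem 4.6: the environment can alternate faulty and non-faulty executions with the same observation forever, and `diagnosable()` reports it.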

This decidability result is very general: examples of classes of hybrid automata that respect the 
conditions of Theorem 4.7 are Timed Automata [3], Simple Multirate Automata [2], O-minimal Hybrid 
Automata [19, 20], and STORMED Hybrid Automata [27]. Hence, for all such classes of systems, 
the time-abstract diagnosability problem and the time-abstract diagnoser synthesis problem are decidable. 
Moreover, the discovery of more classes of hybrid automata respecting the conditions of the theorem 
immediately leads to new classes of systems for which the two fault-diagnosis problems considered in 
this paper are decidable. 

The complexity of the two problems depends on the size of the bisimulation quotient $S/\!\sim$: if $n$ 
is the number of equivalence classes, then the size of the state estimator $\mathcal{E}$ is exponential in $n$. Since 
computing a depth-first visit on a finite transition system is in LOGSPACE, we have that the time- 
abstract diagnosability problem is solvable with polynomial space w.r.t. $n$. Theorem 4.7 proves that 
solving the time-abstract diagnoser synthesis problem corresponds to computing the state estimator $\mathcal{E}$ for 
the considered system. Hence, this second problem can be solved using an exponential amount of time 
w.r.t. $n$. 

It is worth noticing that for most classes of hybrid automata, like Timed Automata, Initialized Rect- 
angular Automata, and o-minimal systems such as Pfaffian Hybrid Automata, the number of equivalence 
classes in $S/\!\sim$ is exponential in the size of the automaton. Hence, for those classes the time-abstract 
diagnosability problem is in EXPSPACE and the time-abstract diagnoser synthesis problem is in 2- 
EXPTIME. 

5 Conclusions 

In this paper we studied the fault-diagnosis problem for hybrid systems from a game-theoretical point of 
view. We used the formalism of hybrid automata for modeling hybrid systems with faults and to define 
the notions of diagnosability and time-abstract diagnosability. We focused our attention on time-abstract 
diagnosability and we defined a Fault Diagnosis Game on hybrid automata with faults between two 
players, the environment and the diagnoser. Existence of a winning strategy for the diagnoser implies that 
faults can be identified correctly, while computing such a winning strategy corresponds to implementing 
a diagnoser for the system. Finally, we showed how to determine the existence of a winning strategy, and 
how to compute it, for all classes of hybrid automata definable in a decidable theory T and such that a 
bisimulation with finite quotient can be effectively computed, like timed automata and o-minimal hybrid 
automata. 

The results presented in the paper can be extended in many directions. First, by considering the 
stronger notion of diagnosability instead of time-abstract diagnosability. Then, by extending the results 
also to undecidable classes of hybrid automata, by exploiting abstraction refinement and approximation 
techniques. Finally, in the current framework there is no upper bound on the time that elapses between 
the occurrence of the fault and the detection by the diagnoser. We envision the extension of our approach 
to reward and priced hybrid games [18] as a possible way to provide minimal-delay strategies for the 
diagnoser. 